在AMI(Amazon)Linux上安装和配置Yara / phpmalwarefinder

时间:2019-02-20 17:41:30

标签: amazon-lightsail amazon-linux yara

我已经按照以下说明成功安装了Yara:https://yara.readthedocs.io/en/v3.8.1/gettingstarted.html#compiling-and-installing-yara,包括执行./configure --with-crypto,并且没有看到任何错误消息。

进入“进行检查”步骤时,出现以下两个失败。

PASS: test-alignment
PASS: test-atoms
PASS: test-api
FAIL: test-rules
FAIL: test-pe
PASS: test-elf
PASS: test-version
PASS: test-bitmask
PASS: test-math
PASS: test-exception

打开SSL版本:OpenSSL 1.0.2k-fips 26 Jan 2017

如果我运行phpmalwarefinder,我会得到

[ec2-user@ip-internal-ip php-malware-finder]$ ./phpmalwarefinder -v /var/www/html/mysite.org
./php.yar(1): error: unknown module "hash"
./whitelists/drupal.yar(10): error: invalid field name "sha1"
./whitelists/drupal.yar(8): error: can't open include file: whitelists/wordpress.yar
./whitelists/drupal.yar(9): error: can't open include file: whitelists/symfony.yar
./whitelists/drupal.yar(10): error: can't open include file: whitelists/phpmyadmin.yar
./whitelists/drupal.yar(11): error: can't open include file: whitelists/magento1ce.yar
./whitelists/drupal.yar(12): error: can't open include file: whitelists/magento2.yar
./whitelists/drupal.yar(13): error: can't open include file: whitelists/prestashop.yar
./whitelists/drupal.yar(14): error: can't open include file: whitelists/custom.yar
./whitelists/drupal.yar(21): error: invalid field name "sha1"
./whitelists/drupal.yar(63): error: invalid field name "sha1"
./whitelists/drupal.yar(76): error: invalid field name "sha1"
./whitelists/drupal.yar(85): error: invalid field name "sha1"
./whitelists/drupal.yar(99): error: invalid field name "sha1"
./whitelists/drupal.yar(110): error: invalid field name "sha1"
./whitelists/drupal.yar(116): error: undefined identifier "Symfony"
./whitelists/drupal.yar(95): warning: $pr contains .* or .+, consider using .{N} or .{1,N} with a reasonable value for N

1 个答案:

答案 0 :(得分:0)

我在这里发布了说明 https://github.com/nbs-system/php-malware-finder/issues/94

这是我如何运行它, 还有一个小补丁

git clone git@github.com:VirusTotal/yara.git
cd yara/
sudo yum install autoconf automake libtool  openssl-devel.x86_64  flex bison
YACC=bison ./configure
make

设置查找器

cd ..
git clone git@github.com:nbs-system/php-malware-finder.git
cd php-malware-finder/
~/GitHub/devops/yara/yara  -r ./php-malware-finder/php.yar  ~/GitHub/sourcetoscan/

必须对此进行修补(无重复)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 6a93fe1..029aaf9 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -159,7 +159,7 @@ rule DangerousPhp
         $ = "suhosin.executor.func.blacklist" nocase
         $ = "unregister_tick_function" fullword nocase
         $ = "win32_create_service" fullword nocase
-        $ = "xmlrpc_decode" fullword nocase nocase
+        $ = "xmlrpc_decode" fullword nocase
         $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();